Run.dll Question

Discussion in 'malware problems & news' started by Rickster, Sep 10, 2003.

Thread Status:
Not open for further replies.
  1. Rickster

    Rickster Guest

    TDS picked up an alert on run.dll, but only 1 byte, no threat - I deleted. Likely fragment from a scheduled task I fiddled with. Examined registry and confirmed no %system% entries for that threat.

    Rarely, when transposing links in MS Word, my firewall asks if I want to run.dll as a app. Question: Is the sub-folder run.dll (23.0 KB) in c:\windows\systen32 normal? I'm sure it is, but freaks me out when it tries to access the internet. Doesn't ask if I want Word to access the net, just to run.dll as an app. Is that file required? Leave it alone? Or delete it altogether?

    Thanks, Rick (XP Home User)
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,877
    Location:
    New England
    Hey Rickster,

    Are you sure that is the full filename? On my XP Home system I have the file:

    C:\WINNT\system32\rundll32.exe

    It's size is 31.0 KB (31,744 bytes). But, I've never heard of just "run.dll"
     
  3. Rickster

    Rickster Guest

    Hi LWM...Yep, it's c:\windows\system32\ and the file run.dll is in there. Also WININIT.INI & WINNT32.LOG among the bunch. Strange we'd have different paths using the same OS - or is something amiss? I know of no other avenue to that file and there's no primary folder via Start > My Computer> C: with the title WINNT - just "Windows." Never renamed anything, except TDS. Thanks, Rick
     
  4. Rickster

    Rickster Guest

    Sorry LWM, brain damage here, I should have said run.dll.exe is there. It does say 31.0 KB (must have had a brain-fart) But since you also have this, everything is A-OK. As Gilda Radnor of SNL used to say, "Neever Minnd! Still freaks me out when it asks to connect to the net though. Best Regards, Rick
     
  5. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi Rickster,

    I would be very cautious of a file named run.dll.exe

    I would recommend that you submit it to your AV company and to TDS submit@diamondcs.com.au for them to have a look. In the meantime I would archive it in a zip file and remove the original file.

    Regards,

    Dan
     
  6. Rickster

    Rickster Guest

    Will do, thanks a bunch Dan.
     
  7. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,877
    Location:
    New England
    Agreed, "run.dll.exe" is definitely a suspicious file!
     
  8. Rickster

    Rickster Guest

    Hi Guys: Noted LWM has his run.dll.exe on path C:\WINNT\system32\rundll32.exe

    Seems to be normally supplied file. Date created matches adjacent files in system32, all before I bought the system new.

    Also here:

    http://www.liutilities.com/products/wintaskspro/processlibrary/rundll32/

    WinTasks Process Library
    rundll32 - rundll32.exe - Process Information
    Process File: rundll32 or rundll32.exe
    Process Name: Windows RUNDLL32 Helper
    Description: The Windows Rundll32 Program is used to run DLLs as programs and is used by many programs to execute functions located in a DLL file
    Common Errors: N/A
    System Process: No

    TDS full system scan is clear. The exploit version of run.dll.exe per AV, uses run.dll.exe + %system% and can be found in registry (not). So seems to boil down to whether you want to run dll's as a application. ZA list this function in program menu like any other - I block and can't think of any reason I'd use it Just a little trepidation about doing away it per above "...and is used by many programs to execute functions located in a DLL file"

    I occurs to me, the MS baseline security analyzer uses an entry of %system% but don't know if it makes use of run.dll - but the 1 byte fragment TDS originally found was shorty after using the analyzer, so that's probably the association.

    Thanks for your help - again. Rick
     
  9. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    No, run.dll.exe is *definitely* a different file than rundll32.exe

    The latter is a valid filename for an OS provided file but the former is a pretty clear indication of something wrong. If your file is actually named run.dll.exe as you stated above I would really advise archiving it so it cannot do anything while the experts analyze the file.

    ;)
     
  10. Rickster

    Rickster Guest

    Dan, I apologize for wasting your time, I meant run.dll32.exe - I had to correct myself in the first post above on that to LWM. I feel like an idiot - not even qualified to be here anymore. It all started on the TDS find and I can see I have to be careful about being very exact when expressing file names - I'm not writing some paper, this is another world and I should be more careful. I won't bother you guys again.

    Regards, Rick
     
  11. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,877
    Location:
    New England
    Hey Rick,

    It's no bother at all. We just wanted to make sure that your system was alright. :)

    As you can see, file names need to be very exact when possibly dealing with virus or trojan files. The people who make them like to hide them in plain site, hoping that an extra "." or missing a "32" from the name will make the PC owner think the file is legitimate when it isn't.

    For cases like this I almost always use copy/paste of file names and directories, especially where I might make a typo, just so I don't post something that will make other people think they have a virus if their filename doesn't exactly match mine.

    So keep on doing what you're doing - looking at everything and asking questions - it's the best way.
     
  12. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi Rickster,

    As LWM stated, it is no bother at all! If we didn't like responding to questions/concerns we wouldn't be doing this. I really hope you don't feel disinclined to post other questions or responses!

    It's very much part of this sort of work that we feel like idiots at times, I hope you don't take it to heart. I know I have made a *plethora* of mistypes in the forum :p and have made ample use of the edit post feature :D

    Regards,

    Dan
     
Loading...
Thread Status:
Not open for further replies.